Adding exceptions for Apache mod_sec 2.5

I have some developers working on a site on a cPanel/WHM CentOS 5 server which has Apache running with the mod_security (mod_sec) module loaded. This module blocks several types of attacks against the server. It is sometimes referred to as an open source intrusion detection and prevention engine for web applications, or a web application firewall.

To make a long story short, you can place rules in a configuration file, and if those rules are triggered during an HTTP request, the client is refused, usually with an HTTP 406 error.

Anyway, the developer’s IP address was getting added to the blocked list of the CSF firewall, which basically blocked any type of access to the server from their IP address (HTTP, SSH, FTP, etc.).

Looking in the mod_security log, I could see what was happening.
HTTP Request

/sites/all/modules/code_attributes/admin_save_code_attributes_ajax.php?aid=1,2,3,4,5,6,7,8,9,10&dec=Major%20genre,Minor%20genre,Rating,Beat,Energy,BPM,Adjective%20-%20Feel,Adjective%20-%20Color,Adjective%20-%20Dynamic,Adjective%20-%20Mood&sel=S,S,S,S,S,M,M,S,S,M&leftm=35,40,104,110,114,10,70,0,0,0&it=checkbox,checkbox,select,checkbox,select,checkbox,checkbox,checkbox,checkbox,checkbox&sec=1,2,3,3,3,3,4,5,5,5&iid=genre1,genre2,rating,beat,energy,bpm,adjFeel,adjColor,adjDynamic,adjMood&dw=95%,95%,17%,35%,20%,24%,90%,33%,33%,33%&vior=5,5,1,2,1,1,5,2,2,2&dbn=tracks_ownership.majorGenreID,tracks_ownership.minorGenreID,tracks_ownership.ratingID,tracks_ownership.beat,tracks_ownership.energy,tracks_ownership.bpm,user_selected_values.attributeValueID,user_selected_values.attributeValueID,user_selected_values.attributeValueID,user_selected_values.attributeValueID&itv=—-,—-,—-,—-,—-,numeric,—-,—-,—-,—- HTTP/1.1

Mod Security Message

Access denied with code 406 (phase 2). Pattern match "%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:dw. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"]

Apache error_log

[Mon Sep 27 09:06:36 2010] [error] [client] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:dw. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "mydomain.com"] [uri "/sites/all/modules/code_attributes/admin_save_code_attributes_ajax.php"] [unique_id "TKCW3EKT7zoAAD8UHh0AAAAK"]

Actual Mod_sec rule

# Check decodings
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"

I could remove the whole rule, but that is not recommended, especially since it is a core mod_security 2.5 rule. The best thing to do is to create a local rules exception that disables the rule only for the one URI that triggers it.

This is done by creating the file /etc/httpd/modsecurity.d/modsecurity_localrules.conf and adding these lines to it. Note that the rule ID from the log message (950107) is what gets disabled, and only for requests whose path matches the LocationMatch expression:

# Exceptions for mydomain.com
<LocationMatch "^/sites/all/modules/code_attributes/admin_save_code_attributes_ajax.php">
SecRuleRemoveByID 950107
</LocationMatch>

You should also add an include in /etc/httpd/conf/modsec2.conf that looks like this:

Include "/usr/local/apache/modsecurity.d/modsecurity_localrules.conf"

It should be placed inside the <IfModule mod_security2.c> block.

Note that /usr/local/apache/ is symlinked to /etc/httpd/, so both paths refer to the same files.
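As an added example (not part of the original post), this Python script parses the error_log entry shown above, reports which raw query argument contains the stray "%" that rule 950107 matches, and generates the LocationMatch-scoped SecRuleRemoveById exception for the URI named in the log. SAMPLE_LOG is the post's own log line; the query string in the usage block is constructed.

```python
import re
from typing import Dict, List, Tuple

# Log line copied from the error_log above (the client IP is elided in the original).
SAMPLE_LOG = (
    '[Mon Sep 27 09:06:36 2010] [error] [client] ModSecurity: Access denied with '
    'code 406 (phase 2). Pattern match "\\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" '
    'at ARGS:dw. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "20"] '
    '[id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] '
    '[hostname "mydomain.com"] [uri "/sites/all/modules/code_attributes/'
    'admin_save_code_attributes_ajax.php"] [unique_id "TKCW3EKT7zoAAD8UHh0AAAAK"]'
)
# ModSecurity 2.x appends its metadata to the message as [key "value"] pairs.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# The 950107 pattern quoted in the log: a '%' not followed by 2 hex digits or u+4 hex digits.
ENCODING_ABUSE_RE = re.compile(r"%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})")


def parse_modsec_message(line: str) -> Dict[str, str]:
    """Return the [key "value"] metadata (id, msg, uri, hostname, ...) of one log line."""
    return dict(TAG_RE.findall(line))


def offending_args(query: str) -> List[Tuple[str, str]]:
    """List (name, raw value) pairs whose raw value holds a '%' that is not a valid escape."""
    hits = []
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if ENCODING_ABUSE_RE.search(value):
            hits.append((name, value))
    return hits


def exception_snippet(entries: List[Dict[str, str]]) -> str:
    """Emit a LocationMatch-scoped SecRuleRemoveById block for each (uri, id) in the log."""
    by_uri: Dict[str, List[str]] = {}
    for e in entries:
        if "id" in e and "uri" in e:
            ids = by_uri.setdefault(e["uri"], [])
            if e["id"] not in ids:
                ids.append(e["id"])
    lines = []
    for uri, ids in sorted(by_uri.items()):
        # re.escape turns the literal path into a safe anchored regex ('.php' -> '\.php').
        lines.append(f'<LocationMatch "^{re.escape(uri)}$">')
        lines.extend(f"    SecRuleRemoveById {rid}" for rid in ids)
        lines.append("</LocationMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(offending_args("aid=1,2&dw=95%,95%,17%&itv=---,numeric"))  # constructed query
    print(exception_snippet([parse_modsec_message(SAMPLE_LOG)]))
```

Scoping the removal with LocationMatch keeps rule 950107 active for every other path on the host, which is the point of an exception over deleting the rule.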

You can stop and start or restart Apache with the following commands:
> service httpd stop
> service httpd start
or just
> service httpd restart

You should take a look at the Apache error_log to make sure that there are no errors. If there is something wrong with your mod_security configuration, Apache will more than likely not start.

You can tell which version of mod_security you are using by stopping and starting Apache and taking a look at the error_log.

> tail /etc/httpd/logs/error_log
[Mon Sep 27 15:57:37 2010] [notice] ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/) configured.
[Mon Sep 27 15:57:38 2010] [notice] Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 configured -- resuming normal operations

Sep 27, 2010